A vulnerability discovered by two graduate students at UC Berkeley would allow attackers to eavesdrop on and even modify calls and text messages sent via T-Mobile’s “Wi-Fi Calling” feature. The feature, which the researchers estimate is installed on millions of T-Mobile Android smartphones, allows customers to make and receive calls and text messages even when they don’t have cellular reception.

UC Berkeley students found a security flaw in T-Mobile Android smartphones. (iStock)

Jethro Beekman and Christopher Thompson, both UC Berkeley graduate students, notified T-Mobile of their findings in December 2012, and worked with Darren Kress, T-Mobile’s senior manager for Mobile Assurance and Product Security, to confirm and fix the problem. T-Mobile reports that as of March 18, all affected customers have received the security update fixing this vulnerability.

Beekman and Thompson found that when an affected phone connected to a server via T-Mobile’s Wi-Fi Calling feature, it did not correctly validate the server’s security certificate, exposing calls and text messages to a “man-in-the-middle” attack. Without this proper verification, hackers could have created a fake certificate and pretend to be the T-Mobile server. This would have allowed attackers to listen to and modify traffic between a phone and the server, letting them intercept and decrypt voice calls and text messages sent over Wi-Fi Calling.

The simplest way to become a man-in-the-middle would be for the attacker to be on the same open wireless network as the victim, such as at a coffee shop or other public space.

To discover and implement the attack, the researchers reverse engineered the Wi-Fi Calling feature, which uses a standard voice-over-IP protocol over an encrypted connection.

The update to fix this vulnerability, verified by Beekman and Thompson, is now included with T-Mobile’s Wi-Fi Calling application.